Entanglement Enhances Security in Secret Sharing 
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We analyze tolerable quantum bit error rates in secret sharing protocols, and show that using 
entangled encoding states is advantageous in the case when the eavesdropping attacks are local. We 
also provide a criterion for security in secret sharing - a parallel of the Csiszar-Korner criterion in 
single-receiver cryptography. 
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In the last few years, the role of entanglement in dif- 
ferent branches of physics has been studied extensively, 
ranging from many-body physics [l|, Q to quantum in- 
formation processing In particular, the qualities and 
thresholds of entanglement for optimal quantum commu- 
nication performance have been found, e.g. with regard 
to teleportation dense coding ||, and cryptography 
Q . The necessity of entanglement in quantum computa- 
tion is still under investigation (see e.g. p}) • In a different 
context, there is an ongoing research on the behavior of 
entanglement in e.g. quantum phase transitions [H, local 
cloning and local state distinguishing 0. 

In this paper, we will investigate the advantage of en- 
tanglement in the security of a quantum communication 
task, known as secret sharing [If], [ll|, which is a com- 
munication scenario in which a sender Alice (A) wants 
to provide a (classical) message to two recipients (Bobs 

B\ , £?2 ) , in a way that each of the Bobs individually 
knows nothing about the message, but they can recover 
its content once they cooperate. In order to transmit a bi- 
nary message string {at}, Alice can then take a sequence 
of completely random bits {&i,i}, send it to B±, and at 
the same time send a sequence {&2,i} = {«i © to B2, 
where © denotes addition modulo 2. Thus a, = £»i,i©&2,i, 
assuring that the Bobs can recover the message if they co- 
operate, and yet none of them can learn anything on the 
message of Alice on his own, since the sequences {i>i,i}, 
\p2,i\ are completely random. 

An important issue is of course security, i.e. distribut- 
ing the message in a way that no third (actually fourth!) 
party learns about it. This can be achieved using quan- 
tum cryptography (e.g. by the BB84 scheme [12]). Al- 
ice simply has to establish secret random keys, indepen- 
dently, with both Bobs, and use them as one-time pads to 
securely send bits in the way required by secret sharing. 
We call this the BB84® 2 protocol. It has been argued [Tfl] 
that a more natural way of using quantum states in secret 
sharing is to send entangled states to the Bobs, and as a 
result, avoid establishing random keys with each of the 
Bobs separately, by combining the quantum and classical 
parts of secret sharing in a single protocol. We call the 
protocol in [ill ] as E4 (since it uses four entangled 
states). 

In this paper, we consider security thresholds for both 
E4 and BB84® 2 , i.e. the highest quantum bit error rates 



(QBERs) below which one-way distillation of secret key 
is possible. There are three main results proven in the 
paper. First, we provide a criterion for security of se- 
cret sharing, for which one-way classical distillation of 
secret key is possible between the sender and the re- 
ceivers: the parallel of the Csiszar-Korner criterion in 
(single-receiver, classical) cryptography [l3|. Secondly, 
we find the optimal quantum eavesdropping attacks on 
both E4 and BB84® 2 , that are individual, without quan- 
tum memory, and most importantly, local. Note that an 
attack which acts by local operations and classical com- 
munication (LOCC) on the particles sent through the two 
channels (A — >■ B\ and A — > B2) is physically more rele- 
vant in this distributed receivers case. We show that the 
threshold QBER for E4 is about 18.2 % higher than that 
of BB84® 2 . This shows, to our knowledge for the first 
time, that it is more secure to use entangled encoding 
states in secret sharing. Thirdly, we provide an interest- 
ing general method for dealing with local eavesdropping 
attacks. 

The protocols. In our setting, a secret sharing protocol 
can be characterized by {\^'°), ®0a' }, where 

j labels the different encoding "bases" used, \i/^' a ) are 
two-qubit states send by Alice to the Bobs if she uses ba- 
sis j and wants to communicate the logical value a, while 



erj' © K is a set of observables compatible with basis j 
(so that if the corresponding measurement is performed 
by the Bobs, it allows them to recover a proper logical 
bit of Alice). In practice, B\ {B%) randomly measures 
the observables a J { (erj ) on states received from Alice 
in each round. After the transmission is completed, the 
Bobs announce the observables they have used in each 
round to Alice, who, judging on whether this combina- 



tion of observables is present in ay © a 2 ' for the partic- 
ular j she had used in that round, tells the Bobs whether 
to keep or reject their measured results for that round - 
this is called the sifting phase. The BB84® 2 protocol is 
defined as 
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where |x±) (\y±)) are eigenstates of the Pauli a x (o~ y ) 
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matrix. The fact that there are two states corresponding 
to a given \ip^ a ) simply means that each of them is sent 
randomly with probability 1/2. The E4 protocol 10] (see 
also [15]), on the other hand, is defined as 
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where |</>±> = (|00)±|11))/A |V4) = (|00)±t|ll))/>/2, 
and |0), |1) are eigenstates of the Pauli a z opera- 
tor. The question is which of these protocols toler- 
ates a higher QBER. After the sifting phase, let the 
bits of Alice and the Bobs, obtained in a given set 
of rounds, be described by the probability distribution 
PAB 1 B 2 ( a i b\, b 2 ). The corresponding QBER is QBER = 
E a ,b 1 ,b 2 PAB 1 B 2 (a,b 1 ,b 2 )[l - S a>bl@b2 ]. 

Error correction and privacy amplification. Knowing 
QBER, we want to perform an one-way error correction 
procedure, such that all errors are corrected with ar- 
bitrarily high probability. In standard (single-receiver) 
cryptography, error correction can be performed either 
from the sender to the receiver, or vice-versa. In secret 
sharing, there are two separated receivers, and each of 
them individually has bits that are completely random. 
So there is no way for Alice to perform one-way error 
correction to Bobs - whatever she sends to each of them 
individually, it will not be enough for them to correct 
errors, unless she sends the total information which is of 
course not the solution we are after. 

The only remaining option is that each of Bobs sends 
some information to Alice, judging on which she is able 
to correct her bits {a^} in a way that for every i: aj = 
&i,i©&2,i- Fortunately, this is indeed possible. We present 
here an idea how this can be achieved. We will adapt for 
our needs, a standard method in classical communica- 
tion th eory - namely, that of random coding (see e.g. 
Til . 17 . ljf). Let each of the three parties have n bits af- 
ter the sifting phase. The error correction procedure uses 
a random coding function / : {0, 1}™ — » {0, l} m , known 
to all three parties (and the rest of the world), where 
m < n will be chosen later. This function assigns a ran- 
dom m-bit codeword to each of 2 n possible n-bit strings. 
Error correction goes as follows: B\ and B2 calculate 
f({bi,i}) and /({&2,i}) respectively, and send their m-bit 
codewords to Alice. After this, Alice looks for all n-bit 
sequences {b' M }, {b' 2l } such that f{{b' lt }) = 
/({&2,J) = f({ki,i}), and chooses a pair {&' M }, {b 2i }, 
for which the Hamming distance dist({ai}, {b' 2 4 © b' 2 4 }) 
is minimal. It can be shown that in the limit n — > 00, 
this strategy is successful with arbitrarily high probabil- 
ity, provided 



m> n[l + fc(QBER)]/2, 



(1) 



where h(p) — —p log 2 p— ( 1 — p) log 2 ( 1 — p) isthe binary 
entropy function. This result is quite intuitive, since in a 



standard bipartite error correction, the length of a code- 
word has to fulfill m > n/i(QBER). In secret sharing 
however, the two Bobs together have to provide Alice 
with n/i(QBER) + n bits. These additional n bits are 
needed, since a sequence of one of Bobs taken separately 
is completely random for Alice. As a result each of Bobs 
has to send a code of length given by Eq. ([I]) . 

After the error correction stage is completed, Alice and 
the Bobs need to perform privacy amplification, in order 
to obtain a possibly shortened, but a completely secure 
key, on which an eavesdropper has no information. Pri- 
vacy amplification presents no additional difficulty in a 
secret sharing scenario, as compared to standard bipar- 
tite cryptography, since its performance, in principle, re- 
quires no additional communication between Alice and 
the Bobs. It is enough that all parties apply the same 
hashing function [3] for shortening the key, and if there 
were no errors, in the sense that for all i, di — bij © ^2,1, 
then there will be no errors in the shortened key 

LOCC attacks. We will analyze security of the proto- 
cols with the following restrictions imposed on an eaves- 
dropper: (i) Eavesdropper can perform only individual 
attacks; (ii) Individual attacks are LOCC operations with 
respect to partition of the encoding states between B\ 
and B2', (iii) Eavesdropper is not allowed any kind of 
quantum memory. The restriction (i) means that an 
eavesdropper can interact, in a given round, with only 
the quantum state send by Alice to Bobs in that round. 
Restriction (ii) is at the heart of the problem we analyze, 
and is natural in the distributed receivers scenario. Note 
here that if no LOCC condition is imposed, then the se- 
curity analyses of the two-receiver E4 and single-receiver 
BB84 protocols are isomorphic. The justification of (iii) 
is based on current technology limitations - no long last- 
ing quantum memory has been developed so far. 

Let the probability distribution pABE{o-,b,e) describe 
single-round bit values, a of Alice, b = &iffi&2 of the Bobs, 
and e of an eavesdropper, after the eavesdropper's attack 
and after the sifting stage is completed. In single-receiver 
cryptography, the maximal one-way secret key distilla- 
tion rate K is given by the Csiszar-Korner criterion [3] : 
K = I(A : B) - mm(I(A : E), I(B : E)), where I( : ) 
is the mutual information between the corresponding par- 
ties. As discussed in previous paragraphs, error correc- 
tion in secret sharing can be performed only in one direc- 
tion (from Bobs to Alice). Thus the secret key distillation 
rate in case of secret sharing is K = I (A : B) — I(B : E), 
which is therefore the parallel of the Csiszar-Korner cri- 
terion in (single-receiver) cryptography (l3j . 

In order to analyze eavesdropping attacks, consider the 
state \ipi' a ) being sent from Alice to Bobs. Collaborat- 
ing eavesdroppers E±, E2, acting on channels conecting 
A with B\ and B2 respectively, can perform an arbitrary 
LOCC operation £ (completely positive trace-preserving 
LOCC map) to create ^ B>BlBa = £(|^''W' a |)- 
The operation is LOCC with respect to the partition 
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Bi,Ei | B 2 ,E 2 . Subsequently, E 1: E 2 perform an LOCC 
measurement on their subsystems in order to obtain in- 
formation about the bit shared by Alice with Bobs, while 
sending possibly-perturbed subsystems B\, B 2 to their 
legitimate recipients. Without loosing generality, we can 
restrict this measurement to have only two possible out- 
comes (0 or 1), since only the value of a transmitted bit 
is of interest to the eavesdroppers. Hence we model the 
measurement by a two element positive operator valued 
measurement (POVM): 11^^(0), He 1 e 2 {1)- Obviously 
H-E 1 E 2 (e) > 0, and TI Ei e 2 {0) +IIe i£ ; 2 (1) = t Bl E 2 , but 
here we additionally impose the constraint that the mea- 
surements are LOCC-based. 

The probability distribution pA B E(a,b,e) is given 

by T. j p{j,ame{\^ a ){^< a \)n BlB% {j ) b) ® n BlB3 (e)], 

where p(j, a) is the probability that A sends the state 
\ij}^ a ) in a given round, whereas {U BlB2 (j, b)} is a POVM 
corresponding to Bobs' measurement in basis j (com- 
patible with the state sent by Alice), where the sum of 
their individual measured values, modulo 2, is equal b: 
b = bi © b 2 . Probability normalization condition reads 
Hb x b 2 {j, 0) + U Bl B 2 (j, 1) = t B iB2- We assume the con- 
vention that if one of Bobs (locally) performs a mea- 
surement characterized by a Pauli matrix crj, then he 
ascribes the bit value or 1, once in a measurement 
he projects on an eigenvector with eigenvalue — 1 or 1 
respectively. To make Pabe{0', b, e) more revealing, we 
introduce non-trace-preserving completely positive oper- 
ations So, £i • ® H% h-> U°H <g> U°H acting on 
the input and output Hilbert spaces of the Bobs, and 
defined as £ e (g Bl B 2 ) = T^EiE 2 [S(QB 1 B 2 )^lE 1 E 2 (e)]. £ e 
represents the disturbance experienced by a state trans- 
mitted to the Bobs, once the eavesdroppers have obtained 
a particular value e in their measurement. Notice that 
even though each operation £ e is not trace-preserving 
the operation £q + S i is - it corresponds to a situation 
when one averages over the results of the eavesdrop- 
pers' measurement. We can now write pabe((i, b, e) = 
J2 jP (j,a)Tr[£ e (\^ a )(^ a \)Tl BlB2 (j,b)]. It is now clear, 
that the eavesdropping strategy is completely defined by 
specifying the two operations So, £\, and for a given pro- 
tocol yields a joint probability distribution pabe(o>, b, e). 

To calculate the QBER threshold, one should now look 
for the highest value of QBER, for which it is still possible 
to find eavesdropping LOCC operations £ e , so that the 
resulting probability distribution pabe enjoys the prop- 
erty I (A : B) = I(B : E). Forgetting for the moment 
about the LOCC constraint, the problem of finding the 
QBER threshold is a semi-definite program. To see this, 
let us denote H out = H B u *®H'jg, H in = ® W B2 and 
recall the Jamiolkowski isomorphism [l9| between com- 
pletely positive maps £ e and positive semi-definite oper- 
ators P £e S £(H out <g> H in ): P £c = £ e ® 

where = H K) ® N) is an unnormalized maxi- 

mally entangled state in the space TC m (E)H ln , and X is an 



identity operation on H m . Hence our problem variables 
are entries of two 16 x 16 matrices, which are required to 
be positive semi-definite. Trace-preservation condition of 
So + Si translates to a condition on positive operators: 
Tr^out (Ps + Pei) — 1-H in - This condition is obviously 
linear in the matrix elements of Pg c . Similarly, pabe is 
also linear, and hence the security condition is linear. Fi- 
nally, the QBER, which we want to maximize, is linear. 
In order to deal with an LOCC constraint, we will im- 
pose the weaker "PPT constraint" : positivity after par- 
tial transposition of the P^ c operators - we transpose 
subsystem K™ 2 ' ® Hp .. This is a strictly necessary con- 
dition for LOCC [20(. However, we will show that the 
optimal PPT maps are also LOCC. 

Entangled vs. product encoding. We now present the 
solutions for maximal tolerable QBER for BB84® 2 and 
E4 protocols found by solving the corresponding semi- 
definite programs, using the SeDuMi package. Although 
solving a semi-definite program provided us only with nu- 
merical solutions, we were able to recognize their analyt- 
ical form, and hence all results presented are analytical. 

For the BB84® 2 protocol, the optimal 
P £BB84 ®2 , in the computational basis, = 

^diag[4, 2, 2, 1,2, 4, 1,2, 2, 1,4, 2, 1,2, 2, 4] + the 
16x16 matrix (ttij) whose only nonzero elements 
are 0-1,4 = «5,8 = 05,12 = "9,12 = 01346 = "1,13 = 

"2,14 = (4,15 = a 3,14 = 0<3,15 = 04,16 = «8,9 = */9, 

"1,16 = o 6j n = 2/9, a 2 ,3 = 05,9 = a 6> 7 = 

"6,10 = 07,11 = 08,12 = Ol0,ll = Oi4,i5 = 1/9, 

07,10 = —04,13 = 1/18, and hermitian conjugates. 

The optimal Pc. B bs4® 2 has the same entries on the 

1 

diagonal, and the anti-diagonal, while the remain- 
ing ones are multiplied by — 1. These optimal PPT 
maps will later on proven to be LOCC. The optimal 
QBER(BB84® 2 ) = 5/18 w 0.2778. 

Moving now to the E4 protocol, the optimal P^ — 
diag[et, b, b, d, b, a, d, b, b, d, a, b, d, b, 6, a] + the 16x16 ma- 
trix (Pij) whose only nonzero entries are j3i 4 = (3* 13 = 
04,16 = 013, 16 = c, P1A6 = a, 04,13 = /*, and the 
hermitian conjugates, where a = 3 — 2v2, b = a/y2, 
c = 6exp(i7r/4), d = a/2, f = id. The optimal Pgsi is 
the same as PgB4, but with c replaced by — c. Again these 
optimal PPT maps will later on proven to be LOCC. The 
optimal QBER(E4) = 2(V2 - 5/4) w 0.3284. Interest- 
ingly therefore, QBER(E4) is about 18.2 % higher than 
QBER(BB84® 2 ), which indicates that indeed the pro- 
tocol using entangled states is more secure, in the case 
of LOCC eavesdropping. In FigQ] we show the maxi- 
mum achievable secret-key rates for the two protocols as 
a function of measured QBER. It is clear that E4 is bet- 
ter not only because of its higher QBER threshold, but 
because of its higher key rate for all QBER (see Fig. [TJ 
more details will be presented elsewhere pH ) 

Explicit LOCC forms of the optimal attacks. We now 
show that the optimal attacks are separable. We will 
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FIG. 1: Maximal achievable secret-key rates K = I (A : B) 
I(B : E) for E4 and BB84® 2 , against local attacks. 



subsequently show that the attacks are actually LOCC. 

Separability of the optimal attack for the BB84® 2 case 
is evident once we write it in the form (the procedure 
leading to this form will be presented elsewhere (2lT |) 
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where the local Kraus operators K^ 1 ^ 2 , Kf B ^ 2 are 
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71 



(-l) e V2 exp[i(0i - tt/4] 

exp[z(0 2 + tt/4)] (-l) e V / 2exp[i(0i + cfe) 
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2V3 



exp[ 



y/2 exp[-i(</»i + 7r/4)] 

-»(#a - Jr/4)] v^exp[i(<^i + 2 )] 



respectively. Since K e ,B 2 does not depend on e 
(equivalently, -ftT e ,Bi can also be chosen to be so), 
we write it as Kb 2 - The full operation £ BB84 = 



cBB84"- 
c 



ie{0,7r} 



I® 



<; >2 (Elo P i^W)!®!^ 1 / 2 *, which 

shows that it is indeed LOCC, since it can be realized as 
follows. First an operation given by the four Kraus oper- 
ators Kg 1 ^ 2 is performed on the second subsystem, and 
the measurement result (<pi, (f>%) is transmitted to the first 
subsystem. For given values of (rpi,^) received by the 
first subsystem, an operation using the two Kraus opera- 
tors Kq 1 ^ 2 , Kf B ^ 2 is performed on the first subsystem. 
This is a legitimate deterministic LOCC operation since 
£^ 2e{ o,. } ^ 2t ^ 2 = 1> and for every 
Ee=o K i^ K t^B? = a - Notc that it; requires only one- 
way classical communication. Summing up, £, 



BB84^ 



arc 



separable trace-decreasing operations, such that when 
added together, they form a trace-preserving LOCC op- 
eration £ BB84 ; and hence they can both be realized via 
LOCC. 



In a similar way, we can show that the optimal PPT at- 
acks on the E4 protocol are also LOCC. Separable Kraus 
decompositions of £f A read 



where the sum runs over 4>\ , <j>2 , $3 € {0, 2tt/3, 47r/3}, and 
are respectively 



lf<Pl,<P2,<P3 Tf<Pl,92,<P3 




27(1 + s/2) 



exp[ 



(-l)^ 1 / 4 exp(%) 
exp(z0 2 ) (-l^^exp^g) 

2 1 / 4 exp[-i(0i +tt/4)] 

-1(^2 -tt/4)] 2 1 / 4 exp(-^ 3 ) 



operation 
1 ® 



Again we can write the full 

cE4 cE4 , cE4 

K B f 2 ^ (^ =0 K*$"+ a ®lp ' 03t ® l) 1 ® 

Kg 1 ' '„ which shows that it is an LOCC, since 
it can be realized by performing an operation on 
the second subsystem using the 27 Kraus opera- 
tors j^i^ 2 ^ 3 ^ communicating the measurement 
result (0i, fa, ^3 ) to the first subsystem, on which 
an appropriate operation using the two Kraus oper- 
(e = 0, 1) is performed. Note that 



ators K^ 2 ' 93 



02,03£{O,27r/3,47r/3} ^ B 2 



Ki 



= 1, and for 



every Ee=o K^'^K^ 3 = 1. 

Typical noise. Judging the usefulness of the two pro- 
tocols by comparing their QBER thresholds, may apriori 
be not sensible from an experimental point of view, as 
in an experiment, we face noise caused by natural fac- 
tors, as well as by the eavesdropper. Hence a relevant 
question is: Which protocol allows a secure key trans- 
mission in presence of a higher level of noise, of the type 
present in an experiment? Consider a typical situation 
when we send the qubits via two fibers. A usual model 
of noise here would be that each channel (fiber) is an 
isotropically depolarizing channel - and they are inde- 
pendent. Given a channel with a fixed level of depolar- 
ization, we ask: Can we securely extract some secret key 
using either the E4 or the BB84® 2 protocol? This may 
not be equivalent to comparing QBER thresholds, be- 
cause different states are used in the two protocols, which 
under the same noise level, may behave differently, and 
result in different QBERs - in particular it could hap- 
pen that in such situation it might be advantageous to 
apply a protocol with lower QBER threshold. In this 
environment, however, the QBERs for E4 and BB84® 2 
depend in the same way on the depolarization parame- 
ter. If an isotropically depolarizing qubit channel acts 
as V{p) = (1 - p)p +pl/2, then the QBER caused by 
the V® 2 channel is QBER = p(l -p/2) for both the pro- 
tocols. Comparing protocols using QBER thresholds as 
a figure of merit is legitimate both from theoretical and 
practical point of view. 
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Summary. We have for the first time shown that entan- 
glement in the encoding states provide a better security 
in secret sharing. The security was judged by calculat- 
ing QBER threshold for secure communication, under 
assumption of local individual quantum attacks without 
quantum memory We have found the optimal attacks 
in such scenario for the two paradigmatic protocols: one 
using product states and the other using entangled ones 
for encoding. Further results include the parallel of the 
Csiszar-Korner criterion for security in (single-receiver) 
cryptography in the distributed-receivers case, and use- 
fulness of the protocols in the presence of a depolarizing 
environment. 
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